
Splunk Add-on for Check Point OPSEC LEA: Trying to pull the certificate, why do I get "server error" in the GUI and "No such file or directory" in the CLI?

Federica_92
Communicator

Hi everyone,

I'm trying to configure the Splunk Add-on for Check Point OPSEC LEA following this guide: http://wiki.splunk.com/Community:Configure_OPSEC_LEA_input.

Now that my Check Point management server is configured, I'm trying to pull the logs using the add-on, but whenever I use the GUI, add the connection, and pull the certificate I get "server error", so I tried to pull the certificate via the CLI:

 ./opsec_pull_cert  -h ip -n SplunkLEA <password>

and splunk gives me this error:

 bash: ./opsec_pull_cert: No such file or directory

But typing ls, it displays:

opsec_pull_cert  opsec_putkey

What should I do?

0 Karma

Federica_92
Communicator

Yeah, basically the app isn't made to run on Ubuntu; if you look at the prerequisites you will see it. But I discovered it too late :)

0 Karma

jgoddard
Path Finder

I am also having this issue on Ubuntu. The files all have appropriate permissions. I've placed the symlink for libcpc++ into /lib/, verified that I have a current glibc (libc6), and installed libpam0g-dev.

Using strings and a grep for .so gives me this list:
/lib/ld-linux.so.2
libpthread.so.0
libresolv.so.2
libdl.so.2
libpam.so.0
libnsl.so.1
libcpc++-libc6.1-2.so.3
libc.so.6

It appears that the issue is due to opsec_pull_cert requiring the i386 versions of all the libraries... I'm about halfway through installing those; will report back if I either kill my Splunk server or get it working...

0 Karma

jgoddard
Path Finder

That was indeed the ticket. On Ubuntu 14.04, adding the following extra packages makes it better:
libc6:i386 (pulls in gcc-4.9-base:i386 libc6:i386 libgcc1:i386 )
libpam0g:i386 (pulls in libaudit1:i386)

0 Karma
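The two posts above pin down the real cause: opsec_pull_cert is a 32-bit ELF, and on a 64-bit host without the i386 runtime its program interpreter (/lib/ld-linux.so.2) is absent, which the shell reports as "No such file or directory" against the binary itself even though ls lists it. The following Python script is an added example, not code from the thread or from the add-on: it reads the PT_INTERP entry straight from the ELF headers and reports whether that loader exists, so an admin can tell a missing loader apart from a missing library. The ELF image it builds for the demo is a constructed fixture, and /nonexistent/ld-linux.so.2 is a placeholder path.

```python
import os
import struct

# Added example (not from the thread): find an ELF binary's program
# interpreter (PT_INTERP) and check whether that loader exists on this host.
# A missing loader is why the kernel answers ENOENT ("No such file or
# directory") for a file that `ls` plainly shows.

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3


def elf_interpreter(data):
    """Return (bits, interpreter_path_or_None) parsed from raw ELF bytes."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]   # class: 1=ELF32, 2=ELF64; data: 1=LE, 2=BE
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        bits = 32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    elif ei_class == 2:
        bits = 64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if bits == 32:   # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(endian + "5I", data, off)
        else:            # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIQQQQ", data, off)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            return bits, raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return bits, None


def diagnose_bytes(data):
    """Classify why an ELF image might fail to start, from its headers alone."""
    bits, interp = elf_interpreter(data)
    if interp is None:
        present = None
        verdict = "static binary; the dynamic loader is not the problem"
    else:
        present = os.path.exists(interp)
        if present:
            verdict = "%d-bit loader %s is present; check shared libraries with ldd" % (bits, interp)
        else:
            verdict = "missing %d-bit loader %s; install the matching i386/multiarch libc" % (bits, interp)
    return {"bits": bits, "interp": interp, "interp_present": present, "verdict": verdict}


def diagnose(path):
    """Same as diagnose_bytes, but reading the ELF from disk."""
    with open(path, "rb") as f:
        return diagnose_bytes(f.read())


def build_elf32(interp_path):
    """Construct a minimal, non-runnable ELF32 little-endian image whose only
    program header is a PT_INTERP naming interp_path (constructed test fixture)."""
    interp = interp_path.encode() + b"\x00"
    ehsize, phentsize = 52, 32
    phoff = ehsize
    interp_off = phoff + phentsize
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, LE, EV_CURRENT, SysV ABI
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0,               # ET_EXEC, EM_386, version, entry
                               phoff, 0, 0,              # e_phoff, e_shoff, e_flags
                               ehsize, phentsize, 1,     # e_ehsize, e_phentsize, e_phnum
                               0, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<8I", PT_INTERP, interp_off, 0, 0,
                       len(interp), len(interp), 4, 1)  # p_flags=PF_R, p_align=1
    return ehdr + phdr + interp


if __name__ == "__main__":
    import sys
    # Real use, e.g. on the add-on's binary from the thread:
    #   python3 elfcheck.py /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/opsec_pull_cert
    if sys.argv[1:]:
        for target in sys.argv[1:]:
            print(target, "->", diagnose(target)["verdict"])
    else:
        # Constructed fixture: a 32-bit image naming a loader path that does not exist.
        print(diagnose_bytes(build_elf32("/nonexistent/ld-linux.so.2"))["verdict"])
```

Run it against the binary that "does not exist": a 32-bit result with a missing loader means the fix is the i386 libc package (libc6:i386 on Ubuntu, glibc.i686 on Red Hat/CentOS), not a permission or path problem; once the loader is present, ldd on the same binary shows which individual shared libraries (libpam, libcpc++) are still unresolved. The same state is what makes ldd print "not a dynamic executable" before the loader is installed.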

tskinnerivsec
Contributor

Have you installed all of the required libraries on your server? Do you have network communication between the Splunk server and the Check Point management server? My experience is that when these things are in place, using the web interface is definitely the easiest way to get it configured.

On a 64-bit Redhat/CentOS 6.x server I've had to do the following:

yum install glibc.i686
yum install pam.i686
ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++libc6.1-2.so.3 /lib/libcpc++libc6.1-2.so.3

It seemed the scripts in the TA required these libraries in the couple cases I've worked on.

0 Karma

Federica_92
Communicator

I can't connect directly to the internet from the server. I executed:

ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++libc6.1-2.so.3 /lib/libcpc++libc6.1-2.so.3

and it's fine. I also checked whether the libraries were already installed using:

apt-cache search libpam0g-dev
apt-cache search glibc

And both of the libraries seem to exist:
libpam0g-dev - Development files for PAM
libc6 - Embedded GNU C Library: Shared libraries
libc6-arm64-cross - Embedded GNU C Library: Shared libraries (for cross-compiling)
libc6-armel-cross - Embedded GNU C Library: Shared libraries (for cross-compiling)
libc6-armhf-cross - Embedded GNU C Library: Shared libraries (for cross-compiling)

How can I update them without access to the internet? I can move files to the server and download the packages using my laptop...

0 Karma